In late 2019, popular online social game maker Zynga was attacked by a hacker who claimed to have accessed 218 million Zynga accounts. Zynga later confirmed that account details were indeed stolen. This the stuff website security nightmares are made of. More than the revenue loss, the loss of trust and diminished reputation will impact business for years to come.
The pandemic has since accelerated eCommerce activities as people hunker down at home and turn to the internet to conduct business, from personal buys to B2B transactions. The downside is that the terrain for hackers has also expanded. Record numbers of these attacks which take advantage of weak points in a company’s remote work setup have occurred in the past year.
For B2B eCommerce, the stakes are higher: aside from breaches to customer data, companies have to defend themselves against corporate espionage. In fact, a Verizon 2020 report showed that 29% of B2B breaches targeted sensitive company information.
Whether protecting against customer data or corporate data theft, security is a must for a seamless eCommerce experience.
However, security is usually an afterthought when building an online presence.
The good news is, eCommerce security has never been stronger and accessible than ever. In this article, we’ll show you the different ways to protect your eCommerce business from data breaches.
Protect Your Customers Using SSL
Do you ever get browser messages warning you of the risk of visiting an unsecured website? That’s what happens when the website lacks an SSL certificate. This can surely scare the bejesus out of shoppers.
To avoid being flagged by this message, your website needs an SSL certificate or Secure Sockets Layer. It allows a secure connection between your online store and shoppers. SSL protects sensitive data such as credit card details, personal information, and login credentials such that they cannot be seen by the naked eye.
How Does SSL Work?
Without getting into the technical nitty-gritty, SSL is a protocol that encrypts data transmission between a website and a visitor. An SSL certificate generates long, random number strings to encrypt or “lock” the message, making it visible only to whoever has the key: the website and the visitor. A hacker intercepting the message will only see a cryptographic code and not the details inside it.
How Do I Get an SSL Certificate?
If you’re hosting the eCommerce site with a third-party provider, for instance, Shopify, Magento, or GoDaddy, your website likely comes with an SSL certificate. To find out, check your website’s URL; it should display a padlock icon and begin with “HTTPS” instead of “HTTP” (the s stands for security). You can also check your plan to see if it includes an SSL.
Otherwise, you may need a webmaster to help you with the process. Generally, it goes like this:
- Set up the server and update your WHOIS record.
- Generate the Certificate Signing Request or CSR on the server, which should contain key information such as your organization name, domain name, and location.
- Submit your CSR to an SSL certificate provider. A quick Google search will lead you to several of these providers.
- Once your domain and company are validated, you’ll receive the SSL certificate.
- Install the certificate on your server.
Make sure to have installed a valid SSL certificate—and properly. The simplest way is to ensure that the certificate is from a trusted SSL provider. You should also see the padlock icon in the address bar when visiting your website. Click on the padlock and look for a message saying the certificate is valid.
There’s also a bunch of paid SSL certificate monitoring tools that regularly check the validity of your SSL certificate for inconsistencies.
Leverage Tokenization
Tokenization is the process of replacing sensitive data like credit card information into randomly generated numbers called “tokens”. The tokens have unrelated value to the original data, making it impossible for hackers to reverse the process mathematically, in short, to hack it.
Tokenization is today’s buzzword for added credit card security spurred by the popularity of mobile wallets. To be sure, tokenization is also used to store credit card details safely in POS software and eCommerce solutions. But with mobile transactions predicted to reach 1.31 billion worldwide in 2023, your payment processing should be leveraging tokenization now to ensure your eCommerce website security.
How Tokenization Works
During a payment transaction, a secure unique string of numbers is issued in real-time for the credit cardholder’s primary account number (PAN). These randomly generated numbers are the ones transmitted through the internet and the payment processing networks to complete the transaction. Meanwhile, the original data is stored in a secure token vault.
How to Add Tokenization to My eCommerce Site?
Your website may already be “tokenized” depending on its payment setup. You can also tap a third party or take a DIY route if you have the technical know-how.
Payment Processors
Popular payment processors like PayPal and Stripe use tokenization. If you are using any of them, you may only need to perform client-side payment integrations to enable tokenization. For instance, you can use PayPal reference transactions to activate tokenization to save you from asking returning buyers for credit card details repeatedly. You can get in touch with your payment processor for details.
Credit Card Companies
Similarly, credit card companies such as Mastercard and Visa offer tokenization solutions that reduce merchant exposure to data breaches. These solutions may or may not be included in your current terms, so double-check with your payment gateway service partner.
TSPs
Another way to “tokenize” your payment transactions is to tap a third-party token service provider (TSP). A TSP may fully take charge of the issuance and management of payment tokens. Or, it may only provide the technology and a cloud platform, but the burden of processing and maintaining a token vault falls on you, such as the case with Visa’s TSP. A quick Google search should point you to the best TSPs in the market today.
Do-It-Yourself
The process of implementing tokenization involves basic technical knowledge in security coding and data warehousing on the merchant side (you). In general, merchant-side activities include converting legacy data to tokens, modifying the message specification sent to the payment processor (ex. PayPal), embedding encryption, and adopting minor business process modifications.
DIY is recommended only if you have a technical team or partner to manage tokenization.
Deciding which route to take to tokenize your payment processing can be tricky. One wrong move can lead to a data breach, sending buyer’s trust plummeting. We at Zobrist have years of B2C and B2B eCommerce experience and can help you choose the best eCommerce payments processing path.
Build Your Website on Established Payment Methods and Gateways
There are several factors to consider when choosing the website platform for your eCommerce like speed, customization, features, and responsive design. But pay close attention to payment integration. That means getting your payment methods and gateways right from the get-go.
Cloud-Hosted eCommerce Platform
If you’re using cloud-hosted eCommerce platforms, your customer data is saved on the provider’s server. That means the burden of security and compliance falls on the provider. Your goal is to ensure that you’re dealing with a reputable and reliable platform host.
Most of the popular cloud-hosted platforms like HCL Commerce and Salesforce Commerce have solid website security infrastructure. But it doesn’t mean smaller providers are less secure.
When dealing with a cloud-hosted provider, consider the following factors:
- Where is your data stored? Does the server (or servers) have security protocols in place?
- Does your provider have SSAE 16 and SOC 2 Type II certifications? These tell you that its systems and data handling are compliant with industry standards.
- Do they meet regulatory compliance such as HIPAA, PCCI, and GDPR? It pays to ensure that your cloud provider is up to date with the latest regulations.
Open-Source eCommerce Platform
Your website may be using an open-source platform. Usually built on open standards like XML and Web services, open-source platforms are preferred for their customizability and flexibility but you are responsible for hosting and protecting your customer data.
Managing an open-source eCommerce is best left to technical experts to make sure that your website is compliant with the security standards mentioned above. If you lack an I.T. team or if you want the tech people to level up to industry standards, Zobrist can help.
You can leverage our years of experience in B2C and B2B eCommerce development and consultation. We support leading technology eCommerce platforms like HCL Commerce, Salesforce Commerce Cloud, and Adobe Commerce Cloud. The bottom line is to give you bank-grade secure payment transfers at minimal fees.
Furthermore, if you perform B2B eCommerce, we can help you set up flexible payment options designed for volume, recurring orders, or other unique B2B needs.
You can also get an integrated solution featuring secure payment processing with a fast-loading, mobile-first eCommerce site fitted with fulfillment, inventory management, ERP, and other back-office features.
Whether you’re opting for a cloud-hosted or an open-source eCommerce platform, your online store should ensure website security and PCI compliance at its foundation when handling customer data.
Practice Secure Coding Standards During Development
Having a security-first mindset mitigates data breach risks and catastrophic business losses down the road. This is true whether you are building on an open-source platform, using a cloud-hosted solution, or creating your website from scratch.
Never compromise website security for development speed or budget cuts. Aside from following our security tips above, here are other factors to consider to make coding secure.
Manage Passwords
Implementing passwords is one of the most common and effective security protocols to prevent breaches. Yet it is easy to overlook or take for granted.
Do not skimp on password management by requiring a minimum of eight characters, mixing upper and lower case letters with numerals and special characters for complexity. Also, require multi-factor authentication and disable access for multiple incorrect login attempts.
Deny by Default
Leave nothing to complacency when dealing with sensitive data. That means assuming all users are hackers until proven otherwise. So put the burden of authentication on users. They should be made to hurdle an authentication process (ex. passwords, IP check, etc.) to get access.
Watch Out for SQL Injection
A malicious SQL injection typically happens through web forms or URL parameters, which the hacker manipulates to gain access to your database. To prevent this attack, use parameterized queries, which most web languages allow to prevent rogue codes from being inserted into an SQL query.
Document Error Logs
Error logs can be recoverable, unrecoverable, predicted, unpredicted, or a combination of these types. While errors and bugs are a part of software development, they may indicate weak points or other vulnerabilities in your coding.
Thus, having a protocol to document these errors is critical. With documentation in place, you can pay closer attention to suspicious or recurring error logs and address the issues before they cause harm.
Conduct Regular System Updates
Secure coding does not end with launching the system successfully. It is a continuous process of checking and re-checking for vulnerabilities, abnormal activities, and other issues throughout the system’s lifecycle.
Hence, make it a coding policy to perform threat modeling across the development stages and on a regular basis post-rollout. Best practices include conducting regular patching of the system, frequently updating website security tools to guard against new forms of hacking or phishing, and keeping a regular schedule of analyzing the source code for risks.
Give Your Customers Peace of Mind
Ensuring your eCommerce website security eats up the time and effort that otherwise are best reserved for growing your business. More importantly, getting it right from the start is critical.
Even though website security is not your core business, do not skimp on it. Because at the end of the day, when you protect your customers, you protect your business.
We Can Help You Overcome Security Challenges
We develop managed eCommerce that integrates commerce, analytics, and payment technologies built on secure eCommerce technology platforms.
Specifically, our B2B eCommerce development and consulting solutions cover a wide range of sectors such as manufacturing, healthcare, automotive, food, office supply, and electronics. Get in touch and schedule a free demo today.